Cross-Site Scripting Bug Discovered on Amazon
A security researcher known by the nickname "SeeMe" reported that a critical persistent cross-site scripting (XSS) flaw was found on Amazon.com (America's largest online retailer) on 30th Sept. 2010, as reported by XSSed on 4th Oct. 2010.
According to security experts, the flaw is extremely hazardous, since XSS weaknesses can be abused to embed malicious code into legitimate web pages.
The vulnerability sits in the "Title" field of the form used to publish new products in Amazon's catalog. Reproducing it requires a Pro Merchant subscription ($39.99), since without one a user cannot register his own item in the Amazon catalog.
The problem arises because the product title parameter does not properly sanitize the data submitted through that field, which lets an attacker inject code, in this case a persistent XSS payload, into the resulting product page.
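The mechanism described above, a seller-controlled title written into the product page without escaping, is shown below as an added example in Python; it is not code from the original report or from Amazon, and the page template, the sample titles and the function names are constructed for the demonstration. The vulnerable render function is placed beside a hardened one that escapes at output time, and the standard library's HTML parser is used to audit what a browser would see.

```python
import html
from html.parser import HTMLParser

# Constructed sample titles for the demonstration (not from the original report).
# The first mirrors the proof of concept described in the article: an alert box
# showing the session cookie. The second is an ordinary title that happens to
# contain characters with special meaning in HTML.
MALICIOUS_TITLE = "<script>alert(document.cookie)</script>"
BENIGN_TITLE = "Tom & Jerry <Collector's Edition> \"Box Set\""

# Constructed page template: the title lands in two output contexts, an
# attribute value (og:title) and element text (the <h1>).
PAGE_TEMPLATE = (
    "<html><head><meta property=\"og:title\" content=\"{title}\"></head>"
    "<body><h1 id=\"product-title\">{title}</h1></body></html>"
)


def render_product_page_unsafe(title: str) -> str:
    """Vulnerable pattern: the seller-supplied title is interpolated into the
    page verbatim, so any markup in it becomes part of the page and runs for
    every visitor (a persistent, or stored, XSS)."""
    return PAGE_TEMPLATE.format(title=title)


def render_product_page_safe(title: str) -> str:
    """Hardened pattern: the title is HTML-escaped at output time. quote=True
    matters because the same value is also placed inside a quoted attribute."""
    return PAGE_TEMPLATE.format(title=html.escape(title, quote=True))


class _MarkupAudit(HTMLParser):
    """Counts <script> elements and on* event-handler attributes in a page."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.event_handlers = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.event_handlers += sum(1 for name, _ in attrs if name.startswith("on"))


def audit_page(page_html: str) -> dict:
    """Parse the rendered page as a browser would and report how many script
    elements and inline event handlers it contains. This template carries no
    scripts of its own, so a correctly escaped render reports zero for both
    whatever the title contains."""
    audit = _MarkupAudit()
    audit.feed(page_html)
    audit.close()
    return {"script_tags": audit.script_tags, "event_handlers": audit.event_handlers}


def title_survives_round_trip(title: str) -> bool:
    """Escaping must not mangle legitimate titles: unescaping the escaped form
    gives back exactly what the seller typed, so nothing is lost by fixing it."""
    return html.unescape(html.escape(title, quote=True)) == title


if __name__ == "__main__":
    for label, title in (("malicious", MALICIOUS_TITLE), ("benign", BENIGN_TITLE)):
        print(label, "unsafe:", audit_page(render_product_page_unsafe(title)))
        print(label, "safe:  ", audit_page(render_product_page_safe(title)))
    print("benign title round-trips:", title_survives_round_trip(BENIGN_TITLE))
```

The fix is output encoding rather than input filtering: the title is stored as typed and escaped for the context it is written into, so a legitimate title such as the second sample is displayed intact while the first is shown as text instead of executed. An audit like `audit_page`, run over rendered pages in a test suite, is a cheap regression check for this class of bug.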
A new product's page appears almost immediately in Google SERPs (Search Engine Results Pages) and shortly afterwards in Amazon's own search results. This means the infected product page could be found via Google, and it could also have been used to craft a convincing e-mail-based phishing attack.
According to the reports, the researcher created a proof-of-concept listing that popped up an alert box displaying the user's session cookie; the cookie could just as easily have been sent to a remote website under his control.
Commenting on the issue, Dimitris Pagkalos, co-founder of the XSSed Project, said that attackers could create a new Pro Merchant account using stolen credit/debit card information and verify their identity by means of a public telephone or an unauthorized phone number. Innocent Amazon users are thus exposed to XSS attacks that target private and financial information. If attackers used a trendy keyword in the XSS attack vector, an even larger number of Amazon users could be affected, as reported by Softpedia on 4th Oct. 2010.
» SPAMfighter News - 14-10-2010